[wp-trac] [WordPress Trac] #14888: PHPMailer class uses wrong/no sender for mail envelope
WordPress Trac
noreply at wordpress.org
Thu Oct 18 17:06:49 UTC 2012
#14888: PHPMailer class uses wrong/no sender for mail envelope
-----------------------------------------+-----------------------------
Reporter: gkusardi | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: External Libraries | Version: 3.0
Severity: normal | Resolution:
Keywords: reporter-feedback has-patch |
-----------------------------------------+-----------------------------
Comment (by Whissi):
Replying to [comment:17 tigertech]:
> More generally, you're focusing on a specific piece of technology, SPF
> (or DKIM, or SMTP callbacks, or whatever else this might break), but
> that's too narrow a focus. What people seem to be missing is that
> regardless of SPF, or DKIM, or anything else, it's just generally a bad
> idea to send mail claiming to be from (say) gmail.com if your mail server
> isn't gmail.com. There are all sorts of possible reasons that some
> recipients will think you're forging headers if you do that (including
> naive custom filters on the receiving end), and the mail won't be
> delivered. The average user isn't going to expect that problem.

I partly agree: When you are not authorized to use a specific domain, you
shouldn't use this domain. Right. But it would be another discussion, if
you are authorized to send as "foo[@]gmail.com", when you "own" this
address. Currently, we cannot make this decision per address. When we
assume we are (and I do!) authorized, then it is ok.

Well, because we are using a domain someone else is owning, we have to
deal with the email policy the owner has published (e.g. SPF, DKIM...) but
that's the problem of the person, who wants to send as "foo[@]gmail.com".

Because I also have a background as administrator, I can understand your
wish to prevent somebody from doing things he/she shouldn't do. But you
cannot. And more important: You shouldn't! As administrator you should
just care about your systems and your domains. If you want to use SPF or
something else, it is your choice to do that. You can say "Nobody expected
my server 1.2.3.4 is allowed to send mails as [@]example.org". That's ok.
But when my server for example will get a mail from someone claiming to be
you ([@]example.org), it is my decision if I will do some checks. I can
see via DNS that you, the owner of example.org, have published any mail
policies, but it is my decision if I will follow your policy and block
the mail, because it wasn't sent from 1.2.3.4 or any other check your
policy requires failed.

I would fully agree with you, when there wouldn't be any legit reasons to
set a sender via software. But there are reasons (as I mentioned before).

Coming back to this ticket:

I would close it as invalid, because it is the server used by gkusardi,
which isn't configured properly. Because WordPress cannot determine the
right email domain, it shouldn't set any.

But I still vote for a feature which would allow you to set the envelope
sender via WordPress. At least via PHP constant, like we use for other
expert settings.

For now, we can use PHP's .user.ini or PATH directive to set PHP's
sendmail_* settings per directory. This would at least allow someone to
use multiple applications in one domain with different sender addresses
like shop[@]example.org for the online-shop application in /shop and
wordpress[@]example.org for the blog running in /blog in the same domain.

@tigertech: If you would still vote against such a feature, could you
please explain why? I mean, setting it via .user.php/PHP configuration or
WordPress configuration, what makes the difference? Keep in mind that you
cannot use PHP's PATH directive via PHP-FPM right now.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14888#comment:19>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
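
The envelope-sender setting proposed in the comment above can be approximated with WordPress's `phpmailer_init` action. This is an added example, not part of the original message and not WordPress core code; the constant name `WP_MAIL_ENVELOPE_SENDER` is hypothetical and the address shown is a constructed sample.

```php
<?php
/**
 * Added example (not WordPress core code): set the SMTP envelope sender
 * from a wp-config.php constant. WP_MAIL_ENVELOPE_SENDER is a hypothetical
 * name; define it yourself, e.g.
 *   define( 'WP_MAIL_ENVELOPE_SENDER', 'wordpress@example.org' );
 * Drop this file into wp-content/mu-plugins/.
 */
add_action( 'phpmailer_init', function ( $phpmailer ) {
	if ( ! defined( 'WP_MAIL_ENVELOPE_SENDER' ) ) {
		return; // Nothing configured: leave the envelope to PHP and the MTA.
	}

	$sender = WP_MAIL_ENVELOPE_SENDER;
	if ( ! is_email( $sender ) ) {
		error_log( 'WP_MAIL_ENVELOPE_SENDER is not a valid address; ignored.' );
		return;
	}

	// PHPMailer::$Sender is the envelope sender (SMTP MAIL FROM, later the
	// Return-Path header). It is separate from the From: header in $From.
	$phpmailer->Sender = $sender;

	// SPF is evaluated against the envelope domain, so a From: header on a
	// different domain is worth surfacing to the administrator.
	$envelope_domain = strtolower( substr( strrchr( $sender, '@' ), 1 ) );
	$header_domain   = strtolower( substr( strrchr( (string) $phpmailer->From, '@' ), 1 ) );
	if ( $header_domain !== '' && $header_domain !== $envelope_domain ) {
		error_log( sprintf(
			'Mail From: domain %s differs from envelope sender domain %s.',
			$header_domain,
			$envelope_domain
		) );
	}
} );
```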